Monday, November 5, 2012

We are pleased to announce the first public offering of the Windows Memory Forensics for Analysts training course. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework's extensive set of plugins. Now you can reap these benefits firsthand from the developers of the most powerful, flexible, and innovative memory forensics tool. Please see the following details about the upcoming training event:

The ability to perform digital investigations and incident
response is becoming a critical skill for many occupations.
Unfortunately, digital investigators frequently lack the training or experience
to take advantage of the volatile artifacts found in physical memory. Volatile
memory contains valuable information about the runtime state of the system,
provides the ability to link artifacts from traditional forensic analysis
(network, file system, registry), and uncovers investigative leads that
remain invisible to most analysts. Malicious
adversaries have been leveraging this knowledge disparity to undermine many
aspects of the digital investigation process with such things as anti-forensics
techniques, memory-resident malware, kernel rootkits, encryption (file systems,
network traffic, etc.), and the Trojan defense. The only way to
turn the tables and defeat a creative human adversary is through
talented analysts.

This course will demonstrate why memory forensics is a
critical component of the digital investigation process and how investigators
can gain the upper hand. The course will
consist of lectures on specific topics in Windows memory forensics followed by
intense hands-on exercises to put the topics into real-world contexts. Exercises will
require analysis of malware in memory, kernel-level rootkits, registry artifacts found in
memory, signs of data exfiltration, and much more. This course is your
opportunity to learn these invaluable skills from the researchers and
developers who have pioneered the field. This is also the only memory
forensics training class that is authorized to teach Volatility, officially
sponsored by The Volatility Project, and taught directly by the Volatility
developers.

Prerequisites

It is recommended that students have some experience with the Volatility Framework.

Students should possess a basic knowledge of digital investigation tools and techniques.

Students should be comfortable with general troubleshooting of
both Linux and Windows operating systems (setup, configuration,
networking).

Students should be familiar with popular system administration tools (e.g. the Sysinternals utilities).

Students should be familiar and comfortable with using the command line.

Students should have a basic understanding of Python or a similar scripting language.

Course Structure

This is a 5-day course composed of both classroom learning and hands-on
training exercises and scenarios. All course material, lunches, and
coffee breaks will be provided (if you have dietary restrictions,
please make them known during registration).

Course Requirements

In order to fully participate in the course, students are required to
bring a properly pre-configured laptop. Students are encouraged to
bring laptops that can run both Linux and Windows; either one may be the
host and the other virtualized, based on student preference. It is the student's
responsibility to make sure the laptop is configured prior to the
beginning of the course. There is no time built into the course schedule to
help people configure machines, so please make sure your laptop has
been properly configured before showing up for class.